In this video we will discuss about 1. The advantage of using HTTPS over HTTP protocol2. How to identify, if the web application i am accessing, use HTTPS protocol3. How to configure HTTPS instead of HTTP for asp.net web applications4. What is SSL or Secure Socket Layer and how is it different from HTTPS5. Who issues server certificates and can't I generate test certificates6. What about performance when using HTTPS over HTTP

Advantages of using HTTPSHTTP stands for Hyper Text Transfer Protocol. HTTPS, stands for Hyper Text Transfer Protocol Secure. As the name suggests, HTTPS is more secure than HTTP. When the web server and the client communicate, using HTTP, protocol, the messages that are exchanged over the internet are not encrypted. Any one can secretly listen and see the messages that are exchanged between the client and the web server. That's why, any sensitive information like passwords, financial transactions should never be done over HTTP protocol. Most of the banking applications use HTTPS protocol. Messages exchanged between the client and web server, using the HTTPS protocol are encrypted and are very secure. HTTP use port 80 and HTTPS use port 443.

How to identify, if the web application i am accessing, use HTTPS protocolThere are 2 ways1. Browser displays a LOCK symbol either in the address or status bar. Click on the lock icon, for more information like, the certificate issuing authority, encryption key length etc.2. In the address bar look for HTTPS instead of HTTP

How to configure HTTPS instead of HTTP for asp.net web applicationsIIS is the web server for asp.net web applications. so the configuration to use HTTPS, is usually done in IIS. The encryption and decryption of messages exchanged between the client and the server is done by server certificates. These server certificates needs to be installed on the IIS server. We will discuss about IIS configuration in a later video session.

What is Secure Socket Layer and how is it different from HTTPSHTTPS is HTTP (HyperText Transfer Protocol) plus SSL (Secure Socket Layer). SSL standing for Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a web server and a browser, so that the data sent over the Internet can’t be read by others. When a user requests a secure Web page, the server generates an encryption key for the user’s session and then encrypts the page’s data before sending a response. On the client side, the browser uses that same encryption key to decrypt the requested Web page and to encrypt new requests sent from that page. SSL uses server certificates for encryption and decryption. An SSL certificate contains a public key and certificate issuer. Not only can clients use the certificate to communicate with a server, clients can verify that the certificate was cryptographically signed by an official Certificate Authority. For example, if your browser trusts the VeriSign Certificate Authority, and VeriSign signs my SSL certificate, your browser will inherently trust my SSL certificate.

Who issues server certificates and can't I generate test certificatesServer certificates are issued by an entity called certificate authority. There are several trusted certificate authorities like1. verisign2. Thawte 3. Geotrust4. Comodo 5. GoDaddy

The certificate authority acts as a clearing house to verify the server’s identity over the Internet. When a browser requests a page over https, the browser also, requests the server certificate and checks it against a list of trusted sites provided by the certificate authority. If the server certificate does not match one of the sites already authorized by the user, or if the server certificate does not match the Web address for which it was registered, or if there are any other problems with the server certificate, a warning message is displayed. The warning message from internet explorer is shown below.

Besides providing encryption and decryption for secure data transmission, certificate authority also provides assurance to users that a website is authentic.

It is also possible to generate our own server certificates, using a tool called makecert.exe. This tool comes with visual studio and can be used from visual studio command prompt. The certificates that are generated using this tool, can only be used for testing purposes and not for production use. We will discuss about generating and installing server certificates in our next video session.

What about performance when using HTTPS over HTTPExtra processing time is required for HTTPS, for key negotiation. Key negotiation is also termed as SSL handshake. The handshake allows the server to authenticate itself to the client.